Online Bank Fraud Mastermind Failed to Cover Tracks

Memo to would-be cybercriminals: Want to move stolen money internationally to bank accounts that you control? Need to route funds to a few money mules to get it laundered? Don't do it from a system tied to an IP address registered to your home.

That's one obvious takeaway from the case of Tomasz Skowron, 29, who British police connected to £840,000 ($1 million) in online banking fraud that targeted organizations around the world, perpetrated with the help of malware.

Police say they linked Skowron to a series of attacks that targeted organizations in Australia and Britain after following the stolen money back to a U.K. bank account that was used to transfer payments into the accounts of money mules - those who receive stolen funds and transfer the cash to fraudsters for a fee. Such money mules, who are sometimes recruited via work-at-home scams, are often used to cash out cybercrime proceeds.

But the London Metropolitan Police's Falcon cybercrime unit, which investigates fraud and other crimes that have an online component, says Skowron also transferred some of the illicit proceeds into accounts that he not only directly controlled but also accessed from a home computer, thus enabling authorities to identify and arrest him.

"Skowron played a significant part in a wider criminal network that was responsible for several high-value frauds using malware," says Detective Constable Jody Stanger, a member of the Met's Falcon unit, who helped investigate the case. "The proceeds of this fraud were then laundered through an organized money mule network."

Police say they ultimately tied Skowron's criminal network to online attacks against two unnamed U.K. construction companies in April 2014, perpetrated after employees inadvertently downloaded malware on their systems. Authorities say the malware gave attackers access to victims' bank account details, which they used to log into the accounts and steal a total of about £500,000 ($620,000) and then transfer the money to accounts owned by the criminal network. But police say they were ultimately able to trace £39,000 ($36,000) of the stolen funds to an account that Skowron opened just nine days before the theft took place.

The Met Police declined to comment on which malware or types of malware Skowron and his associates used against victims.

Bank Intelligence Paid Off

At the time, however, police evidently didn't know who the culprit was. But their big break appears to have arrived following a series of December 2014 malware infections that led to the theft of funds from some accounts in Australia. Thanks to intelligence shared by the banking industry, police say they were able to follow the money after it had been illegally transferred out of Commonwealth Bank of Australia accounts into U.K.-based bank accounts.

"Working closely with the banks involved, officers managed to identify a common IP address that was linked to several of the payments made into U.K. accounts," the Met Police say. "Further inquiries led officers to identify that the IP address was registered to Skowron's address."
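The correlation the investigators describe, a single source IP initiating payments into several beneficiary accounts, combined with the earlier detail that the receiving account was opened only days before the theft, is the kind of signal a bank's fraud team can check programmatically. The following is an added illustration, not code from the police or any bank; the payment records, account ids, IPs and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of inbound payments into U.K. beneficiary accounts, in the
# shape a fraud team might export from core banking (not real case data).
# Fields: beneficiary account, date the account was opened, payment date,
# source IP from which the transfer was initiated, amount in GBP.
PAYMENTS = [
    {"acct": "UK-1001", "opened": date(2014, 11, 28), "paid": date(2014, 12, 5), "ip": "203.0.113.7",   "gbp": 12000},
    {"acct": "UK-1002", "opened": date(2011, 3, 2),   "paid": date(2014, 12, 5), "ip": "203.0.113.7",   "gbp": 9500},
    {"acct": "UK-1003", "opened": date(2014, 11, 30), "paid": date(2014, 12, 6), "ip": "203.0.113.7",   "gbp": 15000},
    {"acct": "UK-2001", "opened": date(2009, 6, 14),  "paid": date(2014, 12, 6), "ip": "198.51.100.22", "gbp": 800},
    {"acct": "UK-2002", "opened": date(2014, 12, 1),  "paid": date(2014, 12, 7), "ip": "192.0.2.44",    "gbp": 4000},
]


def accounts_per_source_ip(payments):
    """Map each source IP to the set of distinct beneficiary accounts it paid into."""
    by_ip = defaultdict(set)
    for p in payments:
        by_ip[p["ip"]].add(p["acct"])
    return by_ip


def shared_source_ips(payments, min_accounts=2):
    """IPs that initiated payments into at least `min_accounts` different accounts.

    One customer paying several unrelated accounts from one address is the
    pattern the article describes; it is a lead, not proof, since NAT and
    shared connections also produce it.
    """
    return {ip for ip, accts in accounts_per_source_ip(payments).items()
            if len(accts) >= min_accounts}


def flag_mule_candidates(payments, min_accounts=2, max_age_days=14):
    """Return {account: [reasons]} for accounts that trip either heuristic.

    - shared_source_ip: a payment came from an IP seen paying other accounts
    - recently_opened: the account was opened within `max_age_days` of the
      payment (the article's account was opened nine days before the theft)
    """
    shared = shared_source_ips(payments, min_accounts)
    flags = {}
    for p in payments:
        reasons = flags.setdefault(p["acct"], set())
        if p["ip"] in shared:
            reasons.add("shared_source_ip")
        if 0 <= (p["paid"] - p["opened"]).days <= max_age_days:
            reasons.add("recently_opened")
    return {acct: sorted(r) for acct, r in flags.items() if r}
```

Accounts hit by both signals are the strongest candidates for review; either signal alone is common enough in legitimate traffic that flagged accounts need a human check before any action is taken.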

Met Police detectives arrested Skowron on Dec. 9, 2014, seized multiple computing devices and phones in his possession and subjected them to digital forensic analysis. Police say the analysis revealed the transfers to money mule accounts, while text messages - some of which Skowron attempted to delete or hide from detectives - revealed that he was working with 31-year-old Piotr Ptach in Britain to recruit the mules.

In November 2015, Ptach pleaded guilty at Southwark Crown Court to fraud and money-laundering offenses. In March, he was sentenced to three years' imprisonment.

Skowron was ultimately charged in June 2016 and pleaded guilty to conspiracy to defraud, fraud and various money-laundering charges. He was sentenced Dec. 19 at Croydon Crown Court in England to five years and three months' imprisonment.

Anonymity Fail?

What's not clear is whether Skowron attempted to use a VPN service to hide his identity or activities, or whether he simply made the mistake of logging into bank accounts that handled stolen funds from his home PC, thus leaving an easy-to-follow trail.

Regardless of whether Skowron used a VPN, however, such services are no silver bullet against police investigations. Indeed, British police have previously obtained user details from VPN providers.

British VPN service HideMyAss.com, for example, says it shared details with police in 2011 after leaked IRC chat logs revealed that members of the LulzSec hacking crew used its service. "As stated in our terms of service and privacy policy, our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the U.S.)," the company said in a blog post at the time.